Bitcoin Gambling Site Explains How It Was Hacked for $1 Million
When done well, a casino, online or otherwise, can be one heck of a money maker. Amongst the many difficulties of the operation, though, is the fact that there are always people trying to not just beat the house for as much money as possible – after all, that’s the game – but actually trying to cheat the casino out of its (presumably) fairly-earned money. I have always found that dynamic interesting. Casinos are one of the few businesses where people frequently applaud cheaters. I mean, hey, the deck is stacked for the casino, so we’re just trying to even the odds, right? RIGHT?
This past weekend, one online gambling operator revealed that it was victimized by one of the more unscrupulous hackers you’ll ever read about. The guy has no sympathy whatsoever. The story was relayed on the website Medium.com by someone named “Stunna,” who appears to be one of the people in charge of the Bitcoin gambling site, Primedice.
Primedice is one of the most plain, basic internet gaming sites you will ever find. No poker, no craps, no sports betting, just rolling a virtual 100-sided die. Players deposit money – Bitcoin only – then choose a bet amount and then either how much they want to get paid if they win or what they want their win probability to be. Payouts increase as win probability decreases. Then they click a button to “roll the dice.” Primedice’s random number generator (RNG) spits out a number from zero to 100, extended to two decimal places, and compares that to the win scenario selected. Winners are paid the amount pre-determined by the player’s selections.
For example, a player might select a win probability of 80 percent, which would payout 1.238 times the bet if the roll results in a number under 80.00. If the RNG produces a value of 64.32 (or 14.28 or 76.01…you get the picture), the player wins. Alternatively, the player could choose that a roll above 19.99 is a winner; it’s the same thing, it just reads differently.
That’s all there is to it. It’s a roll of the dice. The site constantly scrolls rolls that are being made so everyone can see the results of their own or other players’ attempts.
Now on to Stunna’s story. It started back in August 2014 – the third version of Primedice had launched after a very short closed beta period and suddenly two players named Nappa and Kane were kicking butt. Their betting patterns were odd: Kane was automatically cashing out his Bitcoins, while Nappa just kept winning and winning. Primedice held his withdrawals for review, but since no funny business was detected, it let them go through.
In September, a new account named Hufflepuff appeared, one which Primedice now knows was made by the same person behind Kane and Nappa. Hufflepuff was the biggest whale in the history of the site, betting $8,000 EVERY SECOND for several hours at a time. Normally, a gambling site would love this, but Hufflepuff kept winning. Again, Primedice couldn’t find any foul play, so it had to let the player cash out his Bitcoins.
A couple days after Hufflepuff took his leave of Primedice, the site’s main developer figured out what happened. I’m not incredibly well-versed on all the RNG machinations, but as Primedice explains it, the site generates an encrypted random value called the “server seed” and the player’s computer does the same, called a “client seed.” The two seeds are combined and used to come up with the random dice roll. To prove that the roll was fair and everything is on the up-and-up, Primedice actually shows the player the server seed, decrypted, when the roll is completed. Of course, a new server seed is generated for the next roll.
Hufflepuff figured out how to throw a monkey wrench into the works, though. Said Stunna:
Hufflepuff found a way to “confuse” our server, and made it give out a decrypted server seed that was also an active seed. This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second. The result of this is that he knew all the information required to corroborate the outcomes of his bets. He knew whether if he would win or lose, and could wager accordingly.
Essentially, because Hufflepuff was able to see the server seed in advance, he was able to also figure out what the dice roll was going to be. Therefore, he couldn’t lose in the long run.
The Hufflepuff/Kane/Nappa accounts made off with over 2,400 Bitcoins, which were valued at around $1 million at the time. One of the big problems Primedice faced was that Bitcoin is an anonymous, peer-to-peer cyber-currency. They had no personal information on the thief, no bank to look to for help. Primedice does have some information, such as Hufflepuff’s e-mail, IP address, and some data related to his Bitcoin transactions, but really, Hufflepuff is a ghost.
Primedice did track him down on a Bitcoin-related forum and demanded he give back the money. Bad move. Hufflepuff proceeded to make another account, named Robbinhood, and win another 2,000+ Bitcoins, even though Primedice thought it had patched its RNG. The Robbinhood account was only able to make off with a small fraction of those winnings, though, because Primedice did not have enough active funds readily available for him to cash out the whole wad.
Soon thereafter, the hacker sent a message to Primedice which read, “Your offer is declined. Your demands are laughable. I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit. Your move.
Oh, and by the way, there are some pending withdrawals that you need to process.”
Ok, remember that thing earlier about applauding cheaters? I certainly don’t condone this sort of activity and I hope the guy somehow gets caught (it’s been almost a year – he won’t), but damn if I’m not a little impressed.